
Why do MCP environments increase the risk of token leakage and overpermission?

By NHI Mgmt Group Editorial Team. Updated June 6, 2026. Domain: Agentic AI & Autonomous Identity.

MCP agents move across tools and trust boundaries quickly, so forwarded tokens and broad roles can outlive the task they were meant to support. That widens blast radius and exposes secrets through intermediaries. Teams should treat token audience validation, direct server checks, and scoped delegation as baseline controls.

Why This Matters for Security Teams

MCP changes the security problem because it turns a single request into a chain of tool calls, handoffs, and intermediate trust decisions. In that path, a token that was acceptable for one server or one moment can be forwarded into a different context where it is no longer appropriate. That is why token audience validation, direct server trust checks, and scoped delegation matter so much in agentic environments.

This is not a theoretical edge case. NHIMG research in Guide to the Secret Sprawl Challenge shows how fast AI-related credential exposure is accelerating, and the same pattern appears in agent workflows where secrets move faster than governance. The issue aligns with OWASP Agentic AI Top 10 and the NIST Cybersecurity Framework 2.0 emphasis on access control, monitoring, and response.

In practice, many security teams encounter token leakage only after an MCP-connected agent has already reused broader access than anyone intended.

How It Works in Practice

The risk rises because autonomous agents do not behave like fixed service accounts. They may inspect a prompt, call a connector, hand data to another tool, and continue operating with whatever credential material is still available. Static RBAC is therefore a poor fit on its own. Current guidance suggests moving toward intent-based authorisation, where access is decided at runtime from the task, destination, and policy context rather than from a preassigned role.

Operationally, that means using JIT credentials, short-TTL secrets, and workload identity instead of long-lived tokens that can be replayed after the task finishes. An agent should prove what it is through workload identity, then receive the minimum capability needed for the current step. In mature setups, policy evaluation happens at request time using policy-as-code, with explicit approval gates for privileged tool calls. This is consistent with the OWASP Non-Human Identity Top 10 and the agent governance direction in NIST Cybersecurity Framework 2.0.

NHIMG analysis in 52 NHI Breaches Analysis shows the same pattern in real incidents: once a secret is usable beyond its intended audience, the blast radius expands quickly. A relevant example is the Salesloft OAuth token breach, where token reuse became the path to broader access.

  • Bind tokens to a single audience and reject forwarding by default.
  • Issue per-task credentials and revoke them when the task completes.
  • Separate read, write, and administrative scopes for agent tools.
  • Log every downstream tool invocation with agent identity and purpose.

These controls tend to break down in multi-tenant MCP brokers, where one intermediary services many tools and cannot enforce per-server trust with enough granularity.

Common Variations and Edge Cases

Tighter delegation often increases operational overhead, requiring organisations to balance containment against latency, integration complexity, and developer friction. That tradeoff is real, especially when teams want agents to move quickly across repositories, SaaS APIs, and internal services.

There is no universal standard for this yet, but best practice is evolving around three patterns: least-privilege tool scopes, ephemeral credentials, and policy checks at each hop. The OWASP Agentic Applications Top 10 is useful for mapping over-permission and indirect prompt-driven access paths, while Anthropic's report on the first AI-orchestrated cyber espionage campaign illustrates how autonomous workflows can chain ordinary access into abnormal outcomes.

Edge cases appear when teams cache tokens for performance, share connectors across multiple agents, or allow one agent to broker access for another. In those environments, overpermission becomes harder to see because the privilege is hidden in the intermediary rather than assigned directly to the workload. That is why the Guide to the Secret Sprawl Challenge matters: MCP risk is not just leakage, it is also quiet privilege accumulation across the path.

In practice, the hardest failures show up where teams optimize for convenience first and only discover the access model after an agent has already acted beyond its intended scope.
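As an added illustration (not code from NHIMG or from any MCP implementation), the following Python sketch shows the four controls listed under "How It Works in Practice" enforced directly by a tool server, and how the edge cases above (a token cached past its task, or forwarded through a second connector) are refused. The token format, the HMAC demo key, the server names `repo-connector` and `ticket-connector`, and the agent and task identifiers are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for the demo issuer; a real issuer would keep this in a KMS/HSM.
ISSUER_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(agent_id, task_id, audience, scopes, ttl_seconds, now):
    """Issue a per-task, single-audience, short-TTL credential (JIT issuance)."""
    claims = {
        "sub": agent_id,          # workload identity of the agent
        "task": task_id,          # the one task this credential supports
        "aud": audience,          # the one tool server allowed to accept it
        "scope": sorted(scopes),  # separated read/write/admin capabilities
        "iat": now,
        "exp": now + ttl_seconds,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def parse_token(token):
    """Verify the HMAC and return the claims; raises ValueError on tampering or garbage."""
    try:
        body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))


class ToolServer:
    """A tool server that checks tokens itself instead of trusting the broker that delivered them."""

    def __init__(self, name, audit_log):
        self.name = name
        self.audit_log = audit_log  # shared list standing in for a SIEM sink

    def authorize(self, token, action, task_id, now):
        decision = self._evaluate(token, action, task_id, now)
        # Every downstream invocation is logged with agent identity, purpose (task) and outcome.
        self.audit_log.append({"server": self.name, "agent": decision.get("agent", "unknown"),
                               "task": task_id, "action": action,
                               "allowed": decision["allowed"], "reason": decision["reason"]})
        return decision

    def _evaluate(self, token, action, task_id, now):
        try:
            claims = parse_token(token)
        except ValueError as exc:
            return {"allowed": False, "reason": str(exc)}
        result = {"agent": claims["sub"], "allowed": False}
        if claims["aud"] != self.name:            # audience binding: forwarded tokens are refused
            result["reason"] = "audience mismatch: token was issued for another server"
        elif claims["exp"] <= now:                # per-task TTL: replay after the task is refused
            result["reason"] = "expired: per-task TTL elapsed"
        elif claims["task"] != task_id:           # per-task credential: cached reuse is refused
            result["reason"] = "task mismatch: cached credential reused on a new task"
        elif action not in claims["scope"]:       # scope separation: read token cannot write
            result["reason"] = f"scope {action!r} not granted"
        else:
            result.update(allowed=True, reason="ok")
        return result


def run_scenarios():
    """Walk one agent through the failure modes described in the text; returns (reasons, audit log)."""
    log = []
    repo = ToolServer("repo-connector", log)
    tickets = ToolServer("ticket-connector", log)
    t0 = 1_700_000_000  # constructed clock value
    tok = mint_token("agent-42", "task-1", "repo-connector", {"read"}, ttl_seconds=60, now=t0)
    outcomes = {
        "intended use": repo.authorize(tok, "read", "task-1", now=t0 + 5),
        "forwarded to other server": tickets.authorize(tok, "read", "task-1", now=t0 + 5),
        "scope escalation": repo.authorize(tok, "write", "task-1", now=t0 + 5),
        "cached token on new task": repo.authorize(tok, "read", "task-2", now=t0 + 5),
        "replay after ttl": repo.authorize(tok, "read", "task-1", now=t0 + 61),
        "tampered token": repo.authorize("x" + tok[1:], "read", "task-1", now=t0 + 5),
    }
    return {name: d["reason"] for name, d in outcomes.items()}, log


if __name__ == "__main__":
    reasons, audit = run_scenarios()
    for name, reason in reasons.items():
        print(f"{name:28s} -> {reason}")
```

Each tool server validates the token on its own, which is the direct-server check the page recommends; a multi-tenant broker in the path cannot weaken that decision because the audience, task and scope are bound into the credential. The audit list records every decision, allowed or denied, with the agent identity and task, so a forwarded or re-used credential shows up in logs rather than staying hidden in the intermediary.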

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Agentic AI Top 10          | A01                 | Addresses over-permission and unsafe tool use in autonomous agent flows.
OWASP Non-Human Identity Top 10  | NHI-03              | Covers NHI credential scope, rotation, and misuse across trust boundaries.
NIST AI RMF                      |                     | Frames governance for autonomous AI behaviour and runtime risk control.

Assign owners, define runtime policy checks, and monitor agent actions against intended purpose.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org